[HN Gopher] Temptations of an open-source Chrome extension devel...
___________________________________________________________________
Temptations of an open-source Chrome extension developer
Author : hk__2
Score : 495 points
Date : 2023-08-09 18:28 UTC (4 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| amadeuspagel wrote:
| The root problem here is that there's no legitimate way to
| monetize browser extensions. Extensions are meant to be simple,
| so it's hard to sell premium features. Extensions usually don't
| "own" any space to embed ads in.
| jshier wrote:
| You can easily monetize Safari extensions by selling them
| through the App Store.
| lapcat wrote:
| I wouldn't say "easily", but you can.
| ezekg wrote:
| I don't think this is necessarily true. I run a software
| licensing API with quite a handful of customers running browser
| extensions with respectable user bases.
|
| So there are monetization opportunities, just like any other
| distribution channel.
| burkaman wrote:
| An extension user could theoretically be willing to pay for the
| value the extension provides them. The malicious actors sending
| these emails are willing to pay for the value that a user's
| data provides them. These two numbers are not related in any
| way, and the value of user data will often be much higher than
| the value of the extension's functionality.
|
| There is no way for monetization to solve this, because the two
| potential customers are not purchasing the same product.
| hot_gril wrote:
| Agreed. We've already seen user data win over paid software
| in other spaces. Someone charitable or just not-so-bad has to
| buy it out instead.
| hot_gril wrote:
| Might at least make these attacks harder if users could disable
| extension updates, or had to opt into them. Most of these
| extensions are simple and don't really need to be updated, yet
| the update mechanism is silent full auto bada bing bada boom no
| rollbacks. I can't think of any updates more aggressive, not
| even Steam.
| danShumway wrote:
| Yet another opportunity to recommend Firefox to readers.
|
| I'm not sure I advise doing it, but you can go to
| about:addons and hit the gear icon and you can uncheck
| "Update Addons Automatically". Even better, click on an
| extension and under the "details" tab there's an option
| _per-addon_ to set whether you want automatic updates or not, so
| you can disable updates just for the one addon you don't
| trust (or enable updates just for the one addon you do
| trust).
|
| Also, want to run older version of an extension? The Mozilla
| Addons page for each extension has a list of every release
| and you can download each version independently as a signed
| XPI file if you want to sideload it.
|
| The big thing I wish Mozilla would add is self-compiled
| releases like F-Droid does, especially since their
| ill-advised signing process means it's hard for users to compile
| an extension from source -- it's way too easy for a submitted
| extension to deviate from its source code. But that
| (admittedly large) issue aside, Firefox offers a lot of
| control for users who want to manage their own extension
| versions. Forced automatic updates are a Chrome problem.
| 6DM wrote:
| I think the only way is to treat access like we do web apps,
| then enable/disable features accordingly.
|
| That's kinda lame because now you have to have a backend setup,
| just so you can charge for some features.
| Chabsff wrote:
| The issue with that is that "Gets to read and/or write the
| DOM" happens to be the only permissions a nefarious extension
| needs while also being those that a vast number of useful
| extensions require.
| jcparkyn wrote:
| That's why it'd be nice to have a general "access the
| internet" permission, since DOM reads are usually harmless
| if they can't get any data back.
| 6DM wrote:
| I think you're thinking from the browser level. I was
| thinking from the standpoint of what I could do as an
| extension developer.
|
| If we approach it from that angle, then your extension can
| only restrict access to its features via a round trip to
| your own servers to validate access and/or show a checkout
| view to purchase access.
| sorokod wrote:
| Do you believe that if there was a way to monetize extensions
| devs would not be approached by data thieves?
| winwang wrote:
| Not the OP, but I'd presume that it would be significantly
| less tempting to sell out.
|
| Everyone has a price, and when everything is going smoothly,
| that price goes up.
| 6DM wrote:
| Not sure if sarcasm but will respond as if it's not.
|
| There are lots of business models to choose from:
| - subscription
| - affiliate links
| - sponsors
| - one time charge; this one is tricky as restricting access
| requires a back-end that needs ongoing maintenance and server
| costs
|
| [edit: formatting, spelling]
| sorokod wrote:
| It is not clear what problem you are solving.
|
| Extension devs know the rules of the game up front and have
| no expectation of profit.
| 6DM wrote:
| I may have misunderstood your prior comment so please
| excuse me if I got it wrong. The problem I was solving
| was how to make money from an extension that I publish. I
| was outlining different business models where you could
| give the user access to the extension, and make money
| without having to accept this arrangement with data
| thieves.
| sorokod wrote:
| I don't see this as problem that needs to be solved. It
| is freeware from the start.
|
| It's wonderful that people are willing to share their
| knowledge and time for free - why not let it be the way
| it is?
| jabradoodle wrote:
| Perverse incentives being one, you make the extension for
| free, for the purpose of selling out later.
|
| Project being maintained by a single dev being another,
| there needs to be incentive to keep the project going and
| not abandon or sell out.
| bavarianbob wrote:
| I believe problem isn't the right word. I think OP is
| challenging your assumption that it's inherently
| freeware. There are methods for monetizing an extension
| and they're infrequently used or associated with a much
| larger experience (e.g. my BitWarden extension is
| critical for using BitWarden, but I pay for BitWarden's
| subscription elsewhere).
| hamburglar wrote:
| Yes, most extension devs probably start out with no
| intentions of profit. They wrote their extension to
| scratch an itch. However, once they get an installed base
| and start getting offers to do shady stuff, it seems
| obvious that they might be tempted by easy money. If they
| had a more legitimate way to make money, they may be less
| tempted by the shady stuff.
| sorokod wrote:
| That is indeed obvious but I'd argue that in this case
| the problem is weak moral spine. Fortifying it with money
| will not make it go away.
| ezekg wrote:
| > one time charge, this one is tricky as restricting access
| requires a back-end that needs ongoing maintenance and
| server costs
|
| If a browser extension is allowed to use license keys (not
| sure on the various store rules i.r.t. browser extensions),
| you could create a timed license key that is
| cryptographically signed.
|
| No back-end required for that.
| brucethemoose2 wrote:
| The root problem is that extensions are such a good platform
| for ads/tracking.
|
| If monetization was better, it would just end up like Google
| Play, with adtech spam crowding out the "legitimately"
| monetized apps.
|
| Draconian restrictions on web access (like requiring a prompt
| whenever an extension wants to upload/download data) might help
| a little.
| butz wrote:
| Google could easily find a way to display ads for all
| extensions: pre-roll ads before extension launches, mid-roll
| ads when user is using extension for some period of time; not
| sure what is stopping them.
| jaredsohn wrote:
| There used to be.
|
| https://developer.chrome.com/docs/webstore/money/
|
| "The web has come a long way in the 11 years since we launched
| the Chrome Web Store. Back then, we wanted to provide a way for
| developers to monetize their Web Store items. But in the years
| since, the ecosystem has grown and developers now have many
| payment-handling options available to them."
| arcticfox wrote:
| Another failed Google product...of course every company has
| huge back catalogs of deprecated products but the sheer % of
| fails by Google is almost unbelievable.
| lapcat wrote:
| This is the reason I removed my extension from the Chrome Web
| Store.
| danjc wrote:
| Unbelievable how persistent redacted were over the years.
| kojiromike wrote:
| "And how do you spell your name, sir?"
|
| "It's lowercase-italics 'r', lowercase-italics 'e', lowercase-
| italics 'd', lowercase-italics 'a', lowercase-italics 'c',
| lowercase-italics 't', lowercase-italics 'e', lowercase-italics
| 'd'"
|
| "Ha, ha, your name is 'redacted'?"
|
| "No"
| tomjen3 wrote:
| Oh, it didn't occur to me before but you could have so much
| for naming your child redacted.
| kmeisthax wrote:
| Ruffle's official e-mail inbox is chock full of these. The sums
| of money being offered for a free and Free extension are so high
| that I can only assume the buyers are looking to load it up with
| whatever malware won't immediately get it banned by Google or
| Mozilla[0].
|
| My personal opinion is that you shouldn't be allowed to transfer
| an extension between owners without prior approval and vetting of
| the new ownership structure. This should deliberately be harder
| than just setting up a new extension, because new listings won't
| have reviews or trust associated with it. I'm saying this as the
| person who occasionally gets caught on the business end of some
| of these policies[1] and knows how much of a pain it is to
| navigate bureaucracy. The underground extension sales marketplace
| is incredibly sketchy and plays fast and loose with user trust.
|
| [0] Joke's on them, our AMO listing is already flagged for
| machine-generated code (because we use Rust/WASM), so our
| extension submissions only get approved if Mozilla is able to
| reproduce our builds byte-for-byte.
|
| [1] https://ruffle.rs/blog/2023/04/23/mozilla-extension-
| postmort...
| latchkey wrote:
| If you do anything with web3 crypto or even money, always use
| different browser profiles.
|
| The profiles that you use for Metamask, don't install _any_
| extensions into those beyond MM.
| quickthrower2 wrote:
| Extensions that you activate when needed on a per tab basis
| would be good. Also treat it as an opt in on a per site basis
| shadowgovt wrote:
| Stuff like this is why Google is pushing manifest v3.
| mthoms wrote:
| How does manifest v3 combat this?
| shadowgovt wrote:
| Without the additional constraints manifest v3 puts on what
| code an extension can run at runtime, an extension author can
| just slip some "grab some code from a server I control and
| eval it" logic into their extension, which Google can't vet.
| That makes it possible for an extension that was fine
| yesterday go to "harvesting your PII to send to a company
| that is building an AI based on your click frequency" today
| with no change indicated; just a silent "Oops I'm malicious
| now" shift.
|
| All cards on the table: Google does a not-great job of
| protecting against _intentional_ malicious changes last I
| checked, i.e. they'll pass through a lot of new extensions
| and extension updates that do shady stuff behind the scenes.
| But without some lockdown on arbitrary code execution (which
| Mv3 provides), the problem is theoretically impossible to
| solve.
| bensecure wrote:
| Detect if the extension downloads and executes arbitrary
| code, and ban it if it does. That should be just as easy to
| detect as detecting that the code does something bad
| directly. In fact, the way extension policing works is
| (afaik) completely reactive: if someone reports that an
| extension is doing something bad, then the extension/the
| developer thereof is banned. No/minimal policing is done at
| the time of publishing. The exact same policy applies
| unchanged to extensions that download malicious code
| instead of packaging it directly: wait until someone
| complains about the malicious code, ban the extension for
| having malicious code.
| shadowgovt wrote:
| In manifest v2, downloading and executing arbitrary code
| is a feature.
|
| What you're describing _is_ the migration path from v2 to
| v3. "Detect if the extension downloads and executes
| arbitrary code, and ban it if it does" is isomorphic to
| "deprecate the eval arbitrary code permission, cease
| supporting it in the store, and provide an alternative
| declarative model to get some of the behavior back;" it's
| what Google is trying to do.
| bensecure wrote:
| It's a composition of two features, both of which are
| useful on their own. Removing this "feature" requires
| removing at least one of those sub-features, in this case
| eval. We could alternatively allow eval to be used, but
| ban it from being used on code downloaded from the
| internet. This would require vetting the code, rather
| than a fully automated check. The goal of such a removal
| is, supposedly, to enable manual vetting to be more
| effective. However, the only reason to prefer an outright
| removal over a conditional ban is that it obviates the
| need for manual review. Do you see the contradiction?
| shadowgovt wrote:
| > This would require vetting the code, rather than a
| fully automated check.
|
| Then it's a non-starter for the manifest format supported
| by the chrome web store. Because Google's goal is to
| automate as much as possible.
| bensecure wrote:
| Naturally. Thus, it doesn't much matter whether code is
| shipped in the extension package, or downloaded off the
| internet, since nobody will be checking what it does
| regardless.
| NelsonMinar wrote:
| So much sleaze with extensions, it's nice to see it documented.
| Have to be honest the name "HoverZoom" was spoiled for me because
| it was one of the first fraud extensions I was a victim of. Nice
| to see this open source fork with an author concerned about the
| problem.
|
| These days I pretty much only install open source extensions.
| Ironically I was using Imagus, just switched to HoverZoom+ thanks
| to this post.
| mickelsen wrote:
| I discovered Imagus yesterday thanks to another thread in here
| about extensions, and today I read this.
| sphars wrote:
| I too was a heavy user of imagus, until it stopped receiving
| updates and the owner went silent. I know there's a subreddit
| with some people picking it back up, but I've moved on to HZ+
| now. And it's for reasons like the maintainer of HZ+ standing
| up morally being one of the reasons.
| kotaKat wrote:
| I have an extension I wrote that is literally for a single
| regional website to do some extra blocking to get around a
| paywall. There are under 10 installs total. For some reason, the
| most recent monetization email I got thought it was 10,000.
|
| > I'm reaching out to discuss a unique monetization opportunity
| > for your extension, <name>, through our exclusive Premium Bing
| > Hosted Product.
| >
| > I'm thrilled to let you know that this
| > invitation-only product offers the chance to earn as much as $500
| > per month for every 1000 users. Given that your extension has a
| > user base of 10K, you stand to make up to $5000 monthly just by
| > integrating the search functionality into your extension. This
| > could be a significant source of passive income, and I truly
| > believe it's an opportunity you won't want to pass up.
|
| I... I... I know the 10 installs are all basically /my
| devices/...
| hamburglar wrote:
| You should counter by offering to sell them the whole thing for
| a flat price and then have all your users (you) switch to a new
| extension that does the same thing under a new name. :)
| tysam_and wrote:
| Okay, even better, to follow on another user's idea and up
| the ante:
|
| Fake extensions created under burner dev accounts (w/ fake
| identities), astroturf the installs like crazy. Use ChatGPT
| to write the code, pump it out like chocolate out of Willy
| Wonka's Fudge Sludgefest.
|
| Sell to scammers/info scalpers for a flat fee via a non-
| refundable route under a semi-reputable escrow, rinse and
| repeat.
|
| The one downside is if you do that to somebody bad, and
| you've left any personal info out by accident....
|
| Additionally, it's highly unethical. Don't do this. But it
| seems like 'easy money', the whole 'curse of maybe getting
| doxxed and XYZ from a sufficiently-motivated data thief'
| aside.
| ConorSheehan1 wrote:
| I got this too! For an extension that doesn't even work anymore
| after manifest v3
| imoreno wrote:
| >Monetizing anonymous user data is happening on almost every
| website we visit - you may be leaving a lot of money on the table
| by not monetizing your anonymous user data. Try downloading
| Ghostery to see for yourself.
|
| Some people have no shame at all. It's like the caricature of the
| Devil from a Sunday Morning cartoon, offering you riches and
| power untold for the low, low price of your soul.
|
| Like dude, how do you know what Ghostery is and don't get why
| people use it?
| collaborative wrote:
| I don't know what the solution to this is, but I know a few
| trusted/legitimate companies that sell their user data for around
| £20/year even after having monetized their users with actual
| money
|
| I will never do this because violating privacy goes against the
| core of my beliefs, but there is a conflict I can't seem to work
| out. On the one hand, I KNOW that the vast majority of users
| prefer to sell their privacy than pay a single penny. They would
| gladly click on a "sell my data" over a "pay money" button any
| day of the week. I know this because I have interacted with
| enough users to know these things. Many users will suffer a fit
| when things are not free but won't lose any sleep over giving
| away their personal details. Again, I speak of the majority and
| in general terms
|
| On the other hand, I want the internet to be a place where
| unscrupulous actors don't flourish. Most people don't expect to
| get things for free in the real world, why should the internet be
| any different? Why does everyone (myself included) always look
| for free stuff on the internet?
|
| The worst bit of it all is that in the end, the only people
| interested in spending money online are data thieves and
| advertisers. Everyone else is giving their soul. Developers are
| somehow expected to work for free so that this entire edifice can
| stand
| zamadatix wrote:
| I've never had much a problem with informed decision. What rubs
| me the wrong way is when these apps hide the data monetization,
| require it, or don't offer any way to use the service except to
| opt in. It particularly sucks for services I can't even opt to
| not participate in, e.g. my work just went live with "The Work
| Number" service from Equifax so my data is already there
| whether or not I make an account. Even worse, not making an
| account just leaves it open that someone else might try to
| create an account as part of gathering even more involuntarily
| shared information about me.
|
| When it comes to what people choose to do with their own data,
| though, I don't feel a moral obligation to push my views.
| If they truly want to opt in and save the $20 (or however much
| the data is worth in the app) then taking that choice away
| because I disagree with how they should treat their privacy
| information is hardly much better than forcing them to because
| of the same reason. The main difference for me being whether or
| not I profit off it but, given choice in each case, that really
| doesn't matter to how the user weighs the situation.
| yukIttEft wrote:
| Name the companies!
| thwarted wrote:
| The Internet has no easy to use fully-anonymous cash
| equivalent. If you pay for something, you're giving away your
| identity information anyway. The value exchange is definitely
| lopsided, but if I have to share my identity AND pay to get X,
| I'm out money AND shared my identity info. If I share my
| identity info and get X for free, at least I'm not out the
| money.
| jlnho wrote:
| Can you hear that? It's the sound of a distant crypto-bro
| stampede coming your way!
| kmeisthax wrote:
| Extensions are centrally distributed on platforms that could
| at least nominally handle payment. The problem is that $0.01
| is infinitely more expensive than free.
|
| In order for me to pay you, I at a minimum have to do some
| amount of mental gymnastics to convince myself that it's
| worth it for me to pay you. This has a perceived cost even if
| the money spent is trivial. This is why people who take money
| in small increments - i.e. mobile games, arcade operators,
| casinos, and so on[0] have you buy a large amount of some
| scrip that they control, and then make it so easy to spend it
| that you might accidentally do so.
|
| Nobody is thinking "I'd buy this, but only if I can leave no
| record of ownership[1]", they're thinking, "is it actually
| worth buying". Identity and privacy isn't a thing that people
| actually account for when making purchases - mostly because
| it's never actually mentioned[2] in the terms of purchase.
| It's snuck in. So the choice is just "the free one" and "the
| $2 one", where the value of the $2 extension can never hope
| to overcome the mental transaction costs.
|
| [0] Nintendo and Microsoft used to do this around the Wii and
| 360 eras. While on the Wii it was 1 point equals 1 penny/yen,
| Xbox did something nasty and made it 80 points equals 1
| dollar.
|
| [1] That would mean that setting up a new computer or browser
| profile loses you all your existing extensions that you paid
| for.
|
| [2] I do not consider legal disclaimers to be adequate
| notice, and neither should you. Dropping a clause in a EULA
| is the equivalent of dropping rohypnol in your drink.
| wintermutestwin wrote:
| >They would gladly click on a "sell my data" over a "pay money"
| button any day of the week.
|
| You don't know that because no one is given a clear choice like
| you present (and even saying "data" is opaque to joe average
| user). And this is what regulations like EU's and CA's should
| be enforcing. Imagine if the choice was: We have this data
| about you (a comprehensive list of all the fruits of our creepy
| stalking: a,b,c,d, etc...), if you let us violate your privacy
| in a myriad of ways, we will let you have this little trinket
| for free. Otherwise, it will cost you x. How many people would
| select privacy violation?
|
| >Most people don't expect to get things for free in the real
| world, why should the internet be any different? Why does
| everyone (myself included) always look for free stuff on the
| internet?
|
| Most of the internet is communication in some form or another.
| I get a lot of communication for free in the real world. My
| question is: why does everyone assume that the purpose of the
| internet is their platform to get rich selling trinkets to
| clueless natives? Maybe some things are better off run as a
| non-profit?
| jefftk wrote:
| _> this is what regulations like EU's and CA's should be
| enforcing. Imagine if the choice was: We have this data about
| you (a comprehensive list of all the fruits of our creepy
| stalking: a,b,c,d, etc...), if you let us violate your
| privacy in a myriad of ways, we will let you have this little
| trinket for free. Otherwise, it will cost you x. How many
| people would select privacy violation?_
|
| Unfortunately under the GDPR we are not going to find out how
| many people would choose this option. It isn't legal, in the
| EU, to refuse someone access if they say no to your data
| collection.
| Chatting wrote:
| It _is_ legal[1] to require users to agree to data
| collection or pay a subscription. Some news sites have
| already begun to implement this scheme.
|
| [1] At least according to some countries' DPAs, and as long
| as the price is "fair".
|
| https://www.iubenda.com/en/help/24487-cookie-walls-gdpr
| [deleted]
| imoreno wrote:
| >They would gladly click on a "sell my data" over a "pay money"
| button any day of the week.
|
| Even though many people assume it's this way, this choice
| hardly ever happens in practice. You allude to this yourself.
| In reality, the choices are usually between paying for
| something and they still sell your data, and getting it free
| and they _really_ sell your data.
|
| The majority of paid services have privacy policies, terms of
| service and user agreements that spell out how they sell data
| just as much. At best, you might expect that they are a bit
| more selective in _who_ they sell to, since they're not as
| desperate for cash flow. However the impact to you is greater -
| they now have your credit card, address, full name, phone
| number (all vulnerable to hacks and leaks) and it's harder to
| lie about these things than with a free account. So the data
| they collect is _more valuable_, hence the temptation is
| higher as well.
|
| Moreover, the paid services have consumer-hostile subscription
| systems rife with dark patterns. It's needlessly tedious to
| cancel a service if you decide you don't like it, and even free
| trials demand a credit card.
|
| Transparency is very low about what is actually done with your
| money as well. Many services operate at a loss, and the
| customer charge is just a fig leaf while the real money comes
| from investors. Arguably, the paid model is a sham for some
| companies and their real exit is to collect data for years
| and then get bought by some data aggregator. On the other end
| of the spectrum you have people fishing for suckers with
| ridiculously inflated prices.
|
| For these reasons the choice of paying money is tainted by lack
| of trust, it is not just consumers being stingy and entitled.
| Lack of trust can quickly bog down any market.
|
| I don't really blame the industry here, though. It's a bit like
| California in 1848 - you can hardly blame people for picking up
| the gold that's just lying around. The real problem is that we
| don't have the tools, infrastructure and regulatory frameworks
| that let users see and control how their data is used. If
| people really want to sell their data in lieu of payment, then
| let them. But currently, most users are not aware exactly what
| data gets collected and how much it is worth - they're not able
| to rationally decide that paying $5 for an app is better than
| being mined for $20 worth of your data.
| eviks wrote:
| The solution is for the app store owner to develop a better
| monetization scheme that would reward developers
|
| + track change of ownership
|
| + some distributed review system
|
| + better sandboxing
|
| + no forced autoupdates
|
| + A few other things
| Firmwarrior wrote:
| Man, that would be nice
|
| World of Warcraft has an in game ui addon modding system
| built in that ends up suffering from these same problems.
| It's so damn frustrating to see addon developers sell out
| their fans to a super shady spyware company for like $3/month
| (and the alternative is $0)
|
| I could understand betraying people for a life-changing
| amount of money, but £20 is 5-20 minutes' worth of pay for a
| competent SWE...
| rplatimer wrote:
| I built an extension called Repibox that pulls the recipe out of
| any website that has instructions/ingredients in the meta data
| and displays it immediately. First time I got an acquisition
| email was exciting, but then I realized any acquisition would do
| a disservice to my friends/family who use my extension.
| sergiotapia wrote:
| Hard to turn down $20k/month for doing basically nothing. Props
| to the author.
| extesy wrote:
| It wouldn't be a long-term income anyways. Most likely Google
| would block the extension within weeks. So it's more like $20k
| total, not per month.
| p1mrx wrote:
| It's only $20k/month if (1) their number is truthful, and (2)
| Google doesn't ban your extension for serving malware.
| riskable wrote:
| This assumes the offer is legit. I seriously doubt even the
| most nefarious extension nonsense is actually going to bring in
| $20k/month. Even if there's millions of users.
| plorkyeran wrote:
| Yeah, I've received plenty of similar offers over the years
| and I'd have been a lot more tempted if I actually believed
| any of the numbers.
| ajross wrote:
| That's exactly it. The "extension monetization" field is a
| product area fundamentally designed to scam its users.
| _Clearly_ they're not going to shy away from scamming their
| suppliers. They just need to fool the authors into giving
| them control before taking payment, then they move on to the
| next mark.
| [deleted]
| sdflhasjd wrote:
| And if you run a website you get constant emails like this:
|
| > Hey There, I wanted to reach out and see if
| > <website.com> accepts guest post contributions or link insertion
| > in existing posts? If so, I'd love to hear more about your
| > guidelines and any specific topics of interest. Thank
| > you for your time, and I'm looking forward to your response.
| > Best Regards,
|
| These ones are definitely spammed out en-masse, my site doesn't
| even have a blog.
|
| My site also has some Windows software downloads on it, and I
| occasionally get emails for bundling dodgy installers. Most of
| these tend to be "residential proxy" services looking to sell
| access to users' internet connections.
| koonsolo wrote:
| You just saved me some work, thanks!
|
| I also get these emails but run a WordPress site. I was
| convinced they would fingerprint websites and mail those to
| these sites only.
|
| It was on my todo to see if I could hide the fingerprint of
| WordPress.
|
| But now that you mention this, it's obvious it wouldn't do
| much. In hindsight, I could have known these spammers would just
| spam everybody in bulk.
| sdflhasjd wrote:
| Masking your WordPress install is a pretty good idea for
| plenty of other reasons though, just hiding wp-login will
| save you a lot of headache with bots wasting your CPU cycles
| and bandwidth trying to bruteforce.
|
| Sounds like a challenge to hide the wordpressyness entirely
| though, it's got a huge surface area.
| mschuster91 wrote:
| > My site also has some Windows software downloads on it, and I
| occasionally get emails for bundling dodgy installers. Most of
| these tend to be "residential proxy" services looking to sell
| access to users' internet connections.
|
| I wonder what these people are thinking? Like, TOR operators
| know the risks with connection sharing - most particularly:
| pedos using their service to share CSAM. But everyday people?!
| They have no idea until one day they get v&.
| kccqzy wrote:
| Prey on users who don't know the difference. Sell the
| residential proxy service to scammers who use high-reputation
| residential IPs to commit crime or fraud or other shady
| things.
| bornfreddy wrote:
| I think these services are used mainly for scraping sites
| which try to hide their data (think LinkedIn). They don't
| offer any protection to those that are breaking the law,
| afaik. So I would expect that there isn't much risk of
| putting their victims ("endpoints") in trouble with the law.
|
| Not condoning it of course, it is still an ugly practice.
| sdflhasjd wrote:
| I've read through some of Brian Krebs' articles on some of
| these proxies, the ones I get these email offers from seem
| a little less slimy than that and more above board like you
| say. It's still not an acceptable thing to be selling your
| users out to though.
| latchkey wrote:
| This is my favorite sort of email that we get about once a
| month in various forms... their title at the end is hilarious.
|
| ---
|
| Subject: Found a security vulnerability on your website.
|
| Hi Team, I am Harris, a security researcher, and I have found a
| security vulnerability in your website outside a bug bounty
| program.
|
| I can disclose all the vulnerabilities found and their proper
| fixes too, to make your website more secure.
|
| Companies I helped have always been generous and helped me back
| with rewards in amounts they think are appropriate to the
| issues I have found. If you appreciate my help, I'd be happy to
| receive a bonus payment via PayPal, Bitcoin, Payoneer, or Bank
| Transfer.
|
| Waiting for a positive response from your end.
|
| Thanks and Regards,
|
| Harris A
|
| Certified Ethical Hacker
| sdflhasjd wrote:
| On the off chance you entertain these individuals, it's
| usually something really dull an automated scanner picked up.
| imoreno wrote:
| What happens if you don't pay? Or do they expect you to pay
| up front for essentially a pig in a poke?
| sdflhasjd wrote:
| The last one I engaged with only mentioned payment after
| the fact (along with wanting me to hire them to do a full
| pentest).
|
| I just ignored them and that was it.
| gochi wrote:
| To see this many aggressive offers over an extension with ~300k
| users, it makes you wonder how intense the offers are for the
| likes that reach in the millions.
|
| The incentives seem entirely misaligned in the extension space.
| iza wrote:
| Yep, I've been getting these emails since 2014, around 200 in
| total. My extension has had between 30,000 and 100,000 active
| users. They often quote up to $500 a month per 1000 users, which
| sounds too good to be true.
| s-xyz wrote:
| I don't see the harm of monetizing something great. You could
| also say that it's a way to reward the good work.
| Meta4245 wrote:
| This is data collection, not monetization
| jsnell wrote:
| I wonder whether there exists a cottage industry of fake
| extension writers pumping up their numbers with fake installs,
| all with the goal to sell the fake extensions to these scammers.
| Buttons840 wrote:
| You make the extension. I'll use bots to inflate the stats and
| make it look used. You pretend to not notice and sell-out. We
| split the profits. Fraud as easy as 1-2-3.
| hot_gril wrote:
| I also wonder how they make these sales. Is there an escrow for
| this? Are Chrome extension transfers non-reversible? Can't
| imagine such a shady deal is safe for either party.
| david422 wrote:
| If you put something out on the web that gets somewhat popular,
| you are going to get all sorts of scummy people contacting you.
|
| The first one that happened to me: I have a domain name and
| someone emailed me to let me know, as a courtesy, that someone
| was buying similar Chinese domain names and did I want to get
| them first. I thought that was nice that they were notifying me
| ... oh wait, they're just trying to get me to buy their domain
| names.
|
| People contact me about redesigning my website, buying my
| website, exchanging links, straight up spamming my website. It's
| really strange.
| aembleton wrote:
| Android apps too. Always getting offers to have some code
| added.
| quickthrower2 wrote:
| I used to reply, with the same offer "i can help complete YOUR
| set"
| jjcm wrote:
| Of all of these, I appreciated the one from 05/11/2016 the most.
| It felt the least shady because they were very up front with the
| scope and the data collected (which was narrowly focused), and
| left the implementation up to the developer (along with an
| optional script they could use).
|
| They also provided several options for sending the data, just to
| guarantee that the extension couldn't be compromised by their
| code. This one stood out from the rest for me. Curious though if
| I'm missing some way that this could be used for nefarious
| purposes though. Full text of the proposal below:
|
| ------
|
| I'm sure you get business proposals all the time, so I'll get
| straight to the point. I hope what I'm proposing is a little
| different and might actually interest you. I like Hover Zoom+ as
| a great alternative to its bigger brother Hover Zoom that lost
| its glamour over the last couple of months.
|
| We're conducting a DNS error research and we're interested in
| small amounts of anonymous data that you might be able to provide
| via your Chrome extension. Our research has been going on for
| years and Google has never had the slightest problem with it.
|
| - Compatible with Google's strict policies
| - No personal user data
| - No ads, no malware
|
| The data we're interested in are basically just DNS errors:
|
| - NXD - Non Existent Domain - the domain that a user entered that
| resulted in a DNS error.
| - A time stamp - when it happened.
| - GEO - where it happened (USA, UK, RU etc.).
| - A unique randomly generated user ID (can be hashed, not traceable
| back to the user). Please, don't confuse this with the user IP
| address.
|
| And that's all. You can either use our script or collect the data
| on your own and send it to us via an FTP server, API etc. There's a
| lot of different ways we can do this. We pay on a monthly basis.
| The payments depend on user GEOs, but it would be in thousands of
| dollars per year.
|
| Is this worth at least a brief discussion? Looking forward to
| hearing from you.
|
| A while back I reached out to you regarding a DNS error research
| our company conducts. Hover Zoom+ would be an ideal medium for
| our research. In return, this could become a solid new revenue
| stream for you.
|
| Our method has been going on for years and we've never had the
| slightest problem with Google. We pay regularly on a monthly
| basis. For you it would be in tens of thousands of dollars per
| year - the amount depends on your users base and data quality.
|
| If you're concerned about including third party scripts, there's
| still a lot of ways we can make this work.
|
| Please let me know if this is worth a brief discussion to you.
| bensecure wrote:
| non existent domains are the ones that are most likely to be
| somehow personal to the user, because they weren't trying to
| enter a domain at all but it got interpreted as one
| accidentally. Eg a password they meant to type into a password
| field but the url bar was highlighted. If they were interested
| in statistics regarding popular domains, like google or
| facebook, then it would actually be less of a privacy
| intrusion, because it would only end up telling you about
| populations, not individual users.
|
| I don't know what they actually intended to use this data for,
| but it's telling that they don't mention that in their proposal.
| aembleton wrote:
| If they find out which domains people are mis-typing, then they
| can buy them and use them to steal login credentials.
| headline wrote:
| Hell I have gotten offers like this on a Discord bot, even.
| Wherever user data can be found, there are those who'd like to
| have their finger on the pulse
| ZephyrBlu wrote:
| This one is interesting because it seems harmless, if not even
| helpful (Monitoring DNS errors). What am I missing here?
|
| _" I'm sure you get business proposals all the time, so I'll get
| straight to the point. I hope what I'm proposing is a little
| different and might actually interest you. I like Hover Zoom+ as
| a great alternative to it's bigger brother Hover Zoom that lost
| its glamour over the last couple of months._
|
| _We're conducting a DNS error research and we're interested in
| small amounts of anonymous data that you might be able to provide
| via your Chrome extension. Our research has been going on for
| years and Google has never had the slightest problem with it._
|
| _- Compatible with Google's strict policies_
|
| _- No personal user data_
|
| _- No ads, no malware_
|
| _The data we're interested in are basically just DNS errors:_
|
| _- NXD - Non Existent Domain - the domain that a user entered
| that resulted in a DNS error._
|
| _- A time stamp - when it happened._
|
| _- GEO - where it happened (USA, UK, RU etc.)._
|
| _- A unique randomly generated user ID (can be hashed, not
| traceable back to the user). Please, don't confuse this with the
| user IP address._
|
| _And that's all. You can either use our script or collect the
| data on your own and send it to us via an FTP server, API etc.
| There's a lot of different ways we can do this. We pay on a
| monthly basis. The payments depend on user GEOs, but it would be
| in thousands of dollars per year._
|
| _Is this worth at least a brief discussion? Looking forward to
| hearing from you._
|
| _A while back I reached out to you regarding a DNS error
| research our company conducts. Hover Zoom+ would be an ideal
| medium for our research. In return, this could become a solid new
| revenue stream for you._
|
| _Our method has been going on for years and we've never had the
| slightest problem with Google. We pay regularly on a monthly
| basis. For you it would be in tens of thousands of dollars per
| year - the amount depends on your users base and data quality._
|
| _If you're concerned about including third party scripts,
| there's still a lot of ways we can make this work._
|
| _Please let me know if this is worth a brief discussion to you.
| "_
| TehCorwiz wrote:
| This would expose internal DNS names when in an environment
| where they're not connected to their private DNS server.
| js2 wrote:
| Probably looking for domains that are commonly typo'd that they
| can purchase and run ads on.
| tysam_and wrote:
| Well, money's changing hands, and they're not specifying any
| clear intent of goodwill.
|
| Therefore, there is likely some business interest at best, or
| anti-user behavior at worst.
|
| It's not hard to write a script that ostensibly does one thing
| but very sneakily carries information about another thing. For
| example, write a bad 'hashing' function? Piece of cake.
|
| Always follow the gradient of ATP.
| sigilis wrote:
| They want to know what domains people are mistyping or are
| interested in so they can more efficiently scam them, I'd
| wager.
| janwillemb wrote:
| Just a guess: they could buy domain names that are available
| and for some reason get queries. For example often misspelled
| domains. This would not be forbidden but still a little shady.
| matsemann wrote:
| And then they will add a phishing site on that domain,
| looking like the one they meant to type, and scam people. So
| very shady, I think.
| threecoins wrote:
| Typo squatting research. See what users frequently mistype and
| receive NX reply so that they can register it and serve ads or
| do phishing or such.
| ianhawes wrote:
| My guess is either mapping out internal networks for nefarious
| purposes or finding expired/dead domains that still receive
| traffic.
| inopinatus wrote:
| Aside from the private network mapping and typo-squatting
| potential, this also sets off my trap detection.
| cal85 wrote:
| FWIW, and since a few of you probably use it... I own the JSON
| Formatter extension [0], which I created and open-sourced 12
| years ago and have maintained [1] ever since, with 2 million
| users today. And I solemnly swear that I will never add any code
| that sends any data anywhere, nor let it fall into the hands of
| anyone else who would.
|
| I've been emailed several tempting cash offers from shady people
| who presumably want to steal everyone's data or worse. I
| sometimes wish I had never put my name on it so I could just take
| the money without harming my reputation, but I did, so I'm stuck
| with being honourable. On the plus side I will always be able to
| say that I never sold out.
|
| [0] https://chrome.google.com/webstore/detail/json-
| formatter/bcj...
|
| [1] low effort tbh
| extesy wrote:
| If cash offers scale linearly with the number of users, then
| yours would be pretty tempting indeed. Respect for not selling
| out! Would you like to start publishing these offers, like what
| I'm doing?
| cal85 wrote:
| Yeah I'm definitely stealing this idea, I love it. Will add
| something to the repo soon.
| [deleted]
| Y_Y wrote:
| What size cash offers? Not that I want some of it, but then I
| do think there could be an industry re-scamming these people
| and want to know how much we're talking about.
| cal85 wrote:
| Convincing offers to buy it for $10-40K. One offer said $250K
| but I doubt that one was serious, more likely just a straight
| up scam. I have often emailed them back feigning interest to
| see if I can get them to state what they plan to do with it,
| since I cannot see anything that could possibly be ethical,
| but they always just start talking mumbo jumbo about their
| innovative monetisation strategy.
|
| Recently I've had a serious sounding offer to inject an ad,
| i.e. a one-off ad would open in a new tab when the extension
| updates, for $3K a pop, which I just ignored, then he emailed
| again saying $4K, then just yesterday he emailed again with a
| bunch of emoji and said what about $8K.
|
| It's tempting, but it would still be selling out my users,
| who may be ungrateful little brats but I could never do that
| to them, I value their approval too much.
| Y_Y wrote:
| Thank you very much for the very informative response. As
| with any offer I think it's crucial to know what's at
| stake. You're very admirable for turning down tens of
| thousands, but if it had been tens of millions I'd have
| been questioning your judgement, as morally odious as the
| buyer might be.
|
| See also: https://news.ycombinator.com/item?id=14808881
| r1ch wrote:
| I used to have an extension that promised to never be sold or
| even updated beyond the initial release, since it was a one-
| liner that can't possibly ever need to change. The Chrome Web
| Store took it down after 5+ years, presumably because I never
| published an update so the now-mandatory fields were empty.
| madrox wrote:
| I've used this extension for years. Thank you for your service.
| I agree open source users are the worst.
| hot_gril wrote:
| This reminds me of a dirty plan I had as a kid in middle school.
|
| 1. Make a legitimately useful Minecraft Bukkit plugin.
|
| 2. Wait for lots of installs.
|
| 3. Add a well-hidden backdoor that makes me "op" (admin) on any
| server I choose.
|
| 4. Surprise some mean op on a public server by suddenly banning
| him.
|
| I got through step 2 then decided to stop there.
| huksley wrote:
| ...<<The WHOLE WORLD (WW) is monetized.>>...
| jallasprit wrote:
| I found it interesting to see ChatGPT being used on the later
| requests.
| GeekyBear wrote:
| Things have gotten bad enough that I've stopped using extensions
| that haven't been through a code vetting process.
|
| > Recommended extensions differ from other extensions that are
| regularly reviewed by Firefox staff in that they are curated
| extensions that meet the highest standards of security,
| functionality, and user experience. Firefox staff thoroughly
| evaluate each extension before it receives Recommended status.
|
| https://support.mozilla.org/en-US/kb/recommended-extensions-...
|
| If your browser doesn't have a code vetting process for
| extensions, I'm not interested in your browser.
| c7DJTLrn wrote:
| What does that mean in reality? Pretty sure Chrome Web Store
| extensions are reviewed, but since they're all minified and
| obfuscated garbage, I wonder how easily malicious code could
| slip through. I'm surprised there hasn't been a mass cookie
| stealing attack yet.
| GeekyBear wrote:
| > What does that mean in reality?
|
| It means taking malware seriously, even if that means you
| have to pay human beings to vet code manually. I realize that
| Google wants to avoid paying human beings at all costs, but
| too bad.
| extesy wrote:
| Maintainer here. My extension is pretty much unmonetizable so any
| offer I receive would require some degree of a moral sacrifice.
| The least intrusive offer I've seen so far is to put a reciprocal
| link to somebody else's extension inside of mine, kind of like
| DarkReader is doing on their website. Even though it won't
| compromise any of my users data, the reason I'm not doing this is
| because it indirectly endorses that other extension and I don't
| control what they do with their users data.
| donkeydoug wrote:
| Hi, I used to love hoverzoom... was there a malware scare a
| while back or am I thinking of a similarly named plugin ? At
| the time I switched to imagus & adjusted to it. Either way,
| thanks for turning away the monetization attempts :)
| pynappo wrote:
| that was hover zoom (the original) not hover zoom+ (the fork
| by GP)
| justsid wrote:
| I really appreciate the transparency from you. I don't use
| Chrome anymore, but back in the day I absolutely loved Hover
| Zoom+ and my wife is still loving it to this day. It's a great
| extension and having read your comment and the linked Github
| issue, I feel even better about it. Thanks for your hard work.
| extesy wrote:
| Thank you for the kind words. I actually publish hoverzoom+
| to Firefox and Edge as well (links are in the repo's readme)
| so you can use it there too.
| imoreno wrote:
| You're doing a very admirable thing, and this helps dispel the
| little voiced but commonly held perception that "everybody
| sells out" when they get big.
| fancy_pantser wrote:
| I have had this exact experience for years now, which I described
| previously on HN: https://news.ycombinator.com/item?id=25848333
|
| Some good discussion in that thread too :)
| jdthedisciple wrote:
| What's wrong with selling data if it's _truly_ anonymized?
| xboxnolifes wrote:
| If it was up-front and clear in scope and intent, I would have
| much fewer problems with it. But, I don't think I've ever come
| across software that clearly and explicitly listed the scope of
| what will be tracked (and how), clearly stated that it was
| intended to be sold, and gathered clear and explicit consent
| from the user.
| ptx wrote:
| It will inevitably turn out later, when the data has already
| leaked, that due to an oversight or a bug or a misconfiguration
| it wasn't truly anonymized after all.
| extesy wrote:
| It would require collecting this data in the first place. Since
| it's not related to the primary functionality of the extension,
| it would require me to declare it in the privacy policy and
| extension stores. Probably needs additional access permissions
| as well. It's much easier to just not collect anything at all.
| donatj wrote:
| Oh, hey! I just got my first one of those for my extension a
| couple days ago. I just marked it as spam and moved on with my
| life.
|
| Shameless self promotion - Open source chrome tab search way more
| powerful than the newish built in search (supports quotes,
| negative searches, things like host:example.com, etc).
|
| https://chrome.google.com/webstore/detail/tabasco/apnefdpgai...
| karaterobot wrote:
| This is terrifying. I'm glad the developer of Hover Zoom+ is both
| ethical and has a backbone. He demurs, but I know that having a
| decent job has not kept other people from taking the money when
| presented with similar offers. I see that he's in this thread,
| so: hats off to you.
|
| What I'd like to know is, how many different entities are
| represented in this compilation? Since everything is redacted,
| it's not easy to tell. I was surprised that there are so many
| offers by, seemingly, so many different scumbags. I mean people.
| butz wrote:
| Nuking all extensions that use any of the listed "monetization
| platforms" would make Chrome extension store a safer place for
| everyone.
| theandrewbailey wrote:
| They will just rename everything and operate under a new shell
| company. Then everything will be back to the status quo.
| odensc wrote:
| Can confirm. A couple years ago, I had a Chrome extension with
| ~100k users; I was receiving these types of emails every week.
|
| One of them straight up offered $10k, whether that was a real
| offer or not I don't know because I never replied to any of them.
|
| I've since taken down the extension as I'm no longer maintaining
| it, but weirdly I still get these emails, albeit less frequently.
| [deleted]
| [deleted]
| mfrisbie wrote:
| ChatGPT for Google was #1 on HN earlier this year. Check out the
| GitHub repo now: that person sold the extension.
|
| I had a small side project extension, ~25,000 installs & free to
| use. I got enough inbound interest trying to "help me monetize"
| that I thought it would be worth cataloguing all the different
| unsavory avenues: https://mattfrisbie.substack.com/p/the-ugly-
| business-of-mone...
| ericd wrote:
| The most galling offer we saw on the mobile app side was
| something that would turn on the user's microphone, and listen
| for ads on tvs around them to track what they'd been exposed to
| offline. Adtech is such a thoroughly gross field.
| Raed667 wrote:
| So your app already had microphone/audio permission granted
| for legitimate reasons or were they going to do the pop-up
| after the update?
| ericd wrote:
| Nah, we didn't ask for any permissions at the time iirc,
| except gps if/when people wanted to use that to hop the map
| to the right spot.
| jstanley wrote:
| But every time this comes up the threads are flooded with
| people saying it doesn't actually happen and the ad companies
| just work out what you're interested in by what you're
| browsing.
| vkou wrote:
| Fly-by-night ad networks might engage in this. Ad networks
| that are in the sights of regulators, and can be slapped
| with $X billion fines, that may well exceed the marginal
| revenue produced by improved tracking[1] are going to be a
| bit antsier around doing that sort of thing.
|
| [1] How much more money will a $100B ad business make if
| they improved tracking accuracy by %1? It's some positive
| number, but _significantly_ less than $1B.
| consumer451 wrote:
| Would a top tier ad network be exposed to any liability
| if the fly-by-night did the sketchy work, then the top
| tier bought that "anonymized" data?
| luma wrote:
| So instead they buy that data from the fly-by-night
| operators and carry on as usual. That's the key problem
| here, this data only needs to be collected by one shady
| operator, "the market" will handle the rest.
| cryptoz wrote:
| That was an official feature of the Facebook app at one
| point. Like 10 years ago. It's absurd that anyone would
| deny this. It was right there as a feature! Default off I
| think. But it was definitely there.
| Buttons840 wrote:
| > the ad companies _just_ work out what you're interested
| in
|
| The word "just" doesn't belong in that sentence. The ad
| companies being able to know things about you without
| actually listening to you is even more scary.
|
| Evil-Ad-Company Neo: "You're telling me I can know things
| about my customers by secretly listening to them?"
|
| Evil-Ad-Company Morpheus: "No Neo, I'm telling you that
| with the right license agreements, data sharing
| partnerships, and algorithms, you wont need to secretly
| listen to them."
| Brusco_RF wrote:
| I mean showing you ads for diapers because you googled
| "best diapers" falls under that same category and I
| daresay isn't evil at all
| kelnos wrote:
| Advertising, by its very nature, is emotional
| manipulation with the goal of getting you to give up some
| of your money for something you most likely don't really
| need and won't improve your life all that much, if at
| all. To me, that's evil.
|
| Sure, there are varying degrees of this evil, but IMO
| even the least-objectionable advertising out there still
| can't be called "good".
|
| In my experience, the case where advertising gets you to
| buy something that ends up being materially useful, that
| you would not have bought (or found a substitute for)
| without that advertising, is the exception, not the rule.
|
| Oh, and to address your specific example: if you search
| "best diapers", and get shown _ads_ for diapers, that
| absolutely _is_ evil, because some ad-presentation
| algorithm is pushing you toward whatever diapers will
| generate the most money for the ad network, likely not
| toward which diapers are best. Not to mention that
| "best" often means different things to different people,
| and the ad networks only care about that insofar it
| increases their profit.
| munk-a wrote:
| I am pretty convinced that modern advertising - from the
| most inane and innocent to tracking users 24/7 pretty
| clearly falls under evil. Gone are the days of
| advertising trying to raise product awareness and convert
| purchases - that field now exists to create demand. It
| induces desires in the recipients that play on
| psychological factors like FOMO to create customers out
| of thin air - and that process causes we the consumer to
| pay a constant attention tax and suffer higher levels of
| stress in our daily lives.
|
| Advertising is evil.
| andrepd wrote:
| I'm not a radical about many subjects, but I'm certainly
| radically anti-advertising.
| iraqmtpizza wrote:
| Advertising is nudge theory without the do-gooder
| mystique
| sublinear wrote:
| You do realize all forms of media embed advertising
| directly into the content going right back to the
| beginning, right? There's nothing modern about it.
| Showing you a product when you actually want to see it is
| the most effective way to induce demand. All your
| favorite shows, movies, youtube personalities, etc. still
| do this.
| RHSeeger wrote:
| Sure, if you take the most benign examples, it doesn't
| sound so bad. But it's so much worse than that. Going
| back to 2012 for "acting on data analysis gone wrong"
|
| Target Sends Coupons to Pregnant Girl and Unawares Dad
| Explodes
|
| https://www.workplaceethicsadvice.com/2012/02/target-
| sends-c...
|
| > Pole had identified about 25 products that, when
| analyzed together, allowed him to assign each shopper a
| "pregnancy prediction" score. More important, he could
| also estimate her due date to within a small window, so
| Target could send coupons timed to very specific stages
| of her pregnancy.
|
| And things just get worse from there, as companies figure
| out more and more ways they can extract information from
| the information they have about you, and share it with
| each other.
| Rygian wrote:
| Those two categories are really far away from each other.
|
| Googling X is a voluntary act to search for X.
|
| Speaking about X with a friend, while the phone sits in a
| bag nearby, has exactly zero connotations of wanting to
| search for X.
| iforgotpassword wrote:
| And that all this information gathering for targeting
| absolutely matters.
| afavour wrote:
| Two different things. The popular conspiracy theory is that
| the phone listens to and presumably transcribes your
| conversations, sending them to a third party. The example
| the OP gave is specifically listening for TV content:
| they'll have hashes of known ads/shows/whatever to compare
| against rather than do something like live transcription.
|
| Don't get me wrong it's shitty and gross. But they are
| different things.
| tjoff wrote:
| The _only_ reason they don't do that is because our
| devices aren't powerful enough to do it all the time.
| afavour wrote:
| I don't disagree with you but the fact remains: they
| aren't doing it.
| ehsankia wrote:
| Both iOS and Android show when your microphone is active
| so the whole conspiracy theory about it always listening
| to you and sending it back is pretty bullshit. And no one
| has yet found evidence of such network traffic either.
| AlInGaP_Diode wrote:
| except it's always listening for you to say "siri" or
| "google assistant". Some androids also show what music
| is playing nearby. You can thankfully opt-out but the
| ability to is still there.
| ta988 wrote:
| They do that with local processing. For the music thing
| it calculates a hash locally and send it to their
| servers.
| SketchySeaBeast wrote:
| True, but the theory is far older than the indicators. So
| maybe Facebook stopped being sneaky once those controls
| came in? Not saying I believe them, but there's still
| room for doubt there.
| spiderice wrote:
| Your phone notifies you when an app accesses the
| microphone. If this is happening so much, how is it not
| blatantly obvious?
| mike_d wrote:
| Why do you think iOS and Android now prompt for
| microphone usage?
| alyandon wrote:
| Android phones that are 8 major versions out of date
| because the OEM won't support them probably don't have
| that feature.
| ehsankia wrote:
| 8 major versions, that is surely less than 5% of the
| Android population. I'm sure the security flaws in those
| non-updated phones are far more serious than the lack of a
| microphone indicator.
| onli wrote:
| According to
| https://source.android.com/docs/core/permissions/privacy-
| ind..., the microphone indicator is only in there since
| Android 12. Android 12 and 13 cover only 50% of Android
| phones, according to https://gs.statcounter.com/os-
| version-market-share/android/m.... There were some
| "access to the microphone is restricted for background
| apps" changes earlier, reported for Android 9. But I
| wouldn't rely on them, and even if those restriction
| always worked, that still made ~10% of Android phones
| vulnerable.
| alyandon wrote:
| I was being a bit tongue-in-cheek with the 8. However, it
| is just as valid to talk about unpatched security flaws.
| rcfox wrote:
| When I worked on audio firmware for the BlackBerry, one of
| the external devices I had to support was called a "security
| plug", which just shorted the headset mic and headphones to
| ground. It always seemed kind of silly to me because there
| was still the handset mic on the phone that could be
| activated separately.
| comboy wrote:
| Why broadcasted ads which are the same for everybody? Is it
| trying to track effectiveness of these ads?
| lmm wrote:
| Probably to target an ad for the same product/service at
| someone who was in the same room as a TV ad. About 10 years
| ago I worked for an ad targeting company and we got ~50%
| more click-through on a web ad just by showing it shortly
| after a TV ad aired in that location (just using the geoip
| timezone and hoping they might've been watching the right
| channel), if you could do that only for people who've
| actually been exposed to the TV ad there's the potential
| for huge uplift there.
| jrockway wrote:
| Why not? Your cable company would like to charge you extra
| if you mute the ads or use the bathroom during ad breaks.
| That's just capitalism.
| uhtred wrote:
| so this really does happen then? Because I used to be
| convinced it wasn't a coincidence when I saw ads online for
| some niche uncommon topic I had recently talked out loud
| about.
| gregschlom wrote:
| This matches the audio signature of the TV ad - basically,
| it's like Shazam, but for TV ads.
|
| It's currently not economically possible to listen to
| users' conversations, transcribe them to text, and serve
| ads based on that. It would cost orders of magnitude more
| in processing power than you could get from the extra
| sales.
|
| This might change in the future, of course
| jabradoodle wrote:
| Wouldn't cost that much if the transcribing is done on
| device
| camdat wrote:
| This would be immediately obvious in a cursory analysis
| of performance. On-device transcription is not only
| computationally infeasible, it would also require model
| capabilities far beyond what is currently SOTA.
|
| Google had (and has afaik) significant challenges
| implementing multiple wake-word detection for precisely
| this reason.
|
| Transcribing a couple of words accurately on-device
| without a major performance penalty (so that it can be
| running in the background always) is just _barely_ coming
| out now.
| jabradoodle wrote:
| I would have to take your word for it but my phone is
| able to transcribe speech with no problem and no internet
| connection.
|
| Of course running it 24/7 in the background would ruin my
| battery, you would have to be smarter than that.
| ct520 wrote:
| rewind.ai has entered chat.
| ericd wrote:
| Yeah, my understanding was that it was audio
| fingerprinting tv ads, not transcribing anything, but I
| wouldn't be surprised if they were trying to vacuum up
| other stuff. That said, I think it should be feasible to
| do basic low-accuracy transcription on-device, especially
| with all the neural engine hardware making inference more
| efficient.
| pr0zac wrote:
| I am not at all surprised to see one of the emails you got
| matches exactly (other than the extension name) one from the
| linked post. Definitely a lot of this crap is heavily
| automated.
|
| > I'm a fan of [extension name] and I really like how
| convenient and useful it is.
|
| > Have you considered offering promotional spots to those
| interested in promoting their products on your extension? I'm
| interested in promoting my own extension on [extension name]
| and would love to discuss this possibility with you.
|
| > Let me know if you're open to this.
| thallavajhula wrote:
| This is so true. I receive these emails every week. I've even had
| offers about acquisition that I had to turn down. Having a
| "Featured" chrome extension does seem to attract a lot of these
| offers. The more emails/offers I receive, the more I'm convinced
| that I shouldn't give up the extension.
|
| For those curious, here's the GitHub repo of my extension:
| https://github.com/mohnish/rearrange-tabs
___________________________________________________________________
(page generated 2023-08-09 23:00 UTC)